| 5 Sep 2021 |
 baloo | iirc, yeah | 19:53:54 |
 Zhaofeng Li | Are you sure you are running the command above? | 19:53:55 |
| Zhaofeng Li | Because pkgs.fetchurl uses curl CLI and it does work | 19:54:47 |
| Zhaofeng Li | Only <nix/fetchurl.nix> seems to be affected | 19:55:02 |
| baloo | ha could be. | 19:58:29 |
| baloo | running the same strace here, and it looks like you're correct, it does not execve curl | 19:59:10 |
| baloo | but ... I still see: | 19:59:16 |
| baloo | [pid 137791] openat(AT_FDCWD, "/nix/store/9bh3986bpragfjmr32gay8p95k91q4gy-glibc-2.33-47/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 10
| 19:59:23 |
| baloo | that works fine ... | 19:59:28 |
| baloo | huuum | 19:59:41 |
| baloo | could you share the output of mount? | 19:59:52 |
| baloo | is /nix/store in the same filesystem than /? | 20:00:11 |
| Zhaofeng Li | No, different filesystem | 20:00:35 |
| baloo | ha! | 20:00:47 |
 tomberek | would using nixUstable to run the build help? | 20:00:55 |
| Zhaofeng Li | @tomberek I'm using nixUnstable | 20:01:11 |
| baloo | tomberek: https://github.com/NixOS/nix/issues/5089#issuecomment-905193921 tried both in a nix tests here | 20:01:27 |
| baloo | both were working fine | 20:01:35 |
| baloo | but the filesystem of /nix/store being different than /, that could be a mount namespace issue | 20:02:13 |
| Zhaofeng Li | Ok, I looked at the logs a bit closer, and it looks like the NSS loading hack didn't really work. getaddrinfo doesn't seem to load libnss_dns | 20:04:58 |
| Zhaofeng Li | It opens a socket to nscd and doesn't load libnss_dns at all. | 20:05:32 |
 Rick (Mindavi) | I'm also using different filesystems for / and for /nix/store | 20:05:48 |
| Zhaofeng Li | So when the builder runs it's already sandboxed and won't be able to load in the library | 20:05:55 |
| Zhaofeng Li | * So when the builder calls libcurl it's already sandboxed and won't be able to load in the library | 20:06:23 |
| baloo | yup, that would make sense. | 20:06:27 |
| baloo | [pid 137783] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 12
[pid 137783] connect(12, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = 0
[pid 137783] sendto(12, "\2\0\0\0\16\0\0\0000\0\0\0this.pre-initializes.the.dns.resolvers.invalid.\0", 60, MSG_NOSIGNAL, NULL, 0) = 60
[pid 137783] poll([{fd=12, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=12, revents=POLLIN}])
[pid 137783] read(12, "\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24) = 24
[pid 137783] close(12) = 0
here (where it works), and similar on your log
| 20:08:35 |
| Zhaofeng Li | I think it's actually a bug that it worked with / and /nix/store in the same filesystem. It shouldn't have worked with the sandbox. | 20:09:57 |
| baloo | In reply to @zhaofeng:zhaofeng.li
I think it's actually a bug that it worked with / and /nix/store in the same filesystem. It shouldn't have worked with the sandbox. I think so too. | 20:10:13 |
| Zhaofeng Li | So it seems we need a better hack to pull in libnss | 20:10:16 |
| baloo | I have to run, but I'll have a look at it a bit later | 20:10:42 |
